CVE-2026-33990
SSRF Vulnerability in Docker Model Runner Allows Internal Data Exposure
Publication date: 2026-04-01
Last updated on: 2026-04-14
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| docker | model_runner | before 1.1.25 (1.1.25 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthorized disclosure of sensitive information from internal services by enabling an attacker to make arbitrary requests to internal URLs and relay data back to an attacker-controlled registry.
Such unauthorized disclosure of sensitive data could potentially impact compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding sensitive and personal information against unauthorized access or leaks.
However, the provided information does not explicitly mention compliance impacts or specific regulatory considerations.
Can you explain this vulnerability to me?
CVE-2026-33990 is a Server-Side Request Forgery (SSRF) vulnerability in Docker Model Runner (DMR), software used to manage, run, and deploy AI models using Docker. The vulnerability exists in the OCI registry token exchange flow prior to version 1.1.25.
When pulling a model, Model Runner follows the realm URL from the registry's WWW-Authenticate header without validating the scheme, hostname, or IP range. A malicious OCI registry can exploit this by setting the realm to an internal URL (e.g., http://127.0.0.1:3000/), causing Model Runner running on the host to make arbitrary GET requests to internal services.
The full response body from these internal services is then reflected back to the attacker. Additionally, the token exchange mechanism can relay data from internal services back to the attacker-controlled registry via the Authorization: Bearer header.
This allows an unprivileged container or a malicious OCI registry to issue GET requests to host-local services, including localhost and internal network addresses, potentially exposing sensitive information.
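One way to check the realm's scheme, hostname and IP range before any token request is sent, as an added example (not Docker Model Runner's code or its actual patch). `CheckChallenge`, the injected resolver and the HTTPS-only policy are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"regexp"
)

// realmRe pulls the realm parameter out of a Bearer challenge.
var realmRe = regexp.MustCompile(`(?i)^Bearer\s.*?\brealm="([^"]*)"`)

// blocked reports whether ip is loopback, private, unspecified or link-local.
func blocked(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsUnspecified() || ip.IsLinkLocalUnicast()
}

// CheckChallenge validates the realm of a WWW-Authenticate value. resolve is
// injected (assumption) so the example runs offline; pass net.LookupIP in real use.
func CheckChallenge(header string, resolve func(string) ([]net.IP, error)) error {
	m := realmRe.FindStringSubmatch(header)
	if m == nil {
		return errors.New("no Bearer realm in challenge")
	}
	u, err := url.Parse(m[1])
	if err != nil || u.Hostname() == "" {
		return fmt.Errorf("unparseable realm %q", m[1])
	}
	if u.Scheme != "https" { // assumed policy: token endpoints must be HTTPS
		return fmt.Errorf("realm scheme %q not allowed", u.Scheme)
	}
	ips := []net.IP{net.ParseIP(u.Hostname())}
	if ips[0] == nil { // a hostname, not an IP literal: check every address it maps to
		if ips, err = resolve(u.Hostname()); err != nil || len(ips) == 0 {
			return fmt.Errorf("cannot resolve realm host %q", u.Hostname())
		}
	}
	for _, ip := range ips {
		if blocked(ip) {
			return fmt.Errorf("realm resolves to internal address %s", ip)
		}
	}
	return nil
}

func main() {
	// Constructed hostile challenge using the realm from the description above.
	fmt.Println(CheckChallenge(`Bearer realm="http://127.0.0.1:3000/"`, net.LookupIP))
}
```

A check made at parse time can be bypassed if the hostname resolves differently when the connection is opened or if the token endpoint redirects, so the same address test should also run at connect time (for example in a `net.Dialer` `Control` hook) and on each redirect target.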
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive information from internal services running on the host or internal network. An attacker controlling a malicious OCI registry or an unprivileged container can make Docker Model Runner perform arbitrary GET requests to internal URLs.
The attacker can receive the full response bodies from these internal services, potentially exposing confidential data.
Furthermore, the token exchange mechanism can be abused to relay data from internal services back to the attacker, increasing the risk of data leakage.
This can compromise the confidentiality of your internal systems and data, especially if Docker Model Runner is exposed to localhost over TCP in certain configurations.
Mitigation involves updating Docker Model Runner to version 1.1.25 or later, or enabling Enhanced Container Isolation (ECI) in Docker Desktop to block container access to Model Runner.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves Docker Model Runner making arbitrary GET requests to internal services when pulling models from a malicious OCI registry. Detection can focus on monitoring network traffic for unusual outbound requests from the Docker Model Runner process to internal IP addresses such as 127.0.0.1 or other internal network ranges.
You can check the version of Docker Model Runner installed to determine if it is vulnerable (versions prior to 1.1.25 are affected).
- Check Docker Model Runner version: `docker model version` or check the installed package version.
- Monitor network connections from the Docker Model Runner process for suspicious outbound HTTP GET requests to internal IPs, for example using `netstat -anp | grep <model-runner-process>` or `ss -tunap | grep <model-runner-process>`.
- Use packet capture tools like `tcpdump` or `wireshark` to inspect HTTP requests originating from the host running Docker Model Runner, looking for requests to internal IP addresses or unusual Authorization headers.
- Review logs of Docker Model Runner and Docker Desktop for any unexpected token exchange or registry authentication flows.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to update Docker Model Runner to version 1.1.25 or later, which contains the patch for this SSRF vulnerability.
For Docker Desktop users, upgrading to version 4.67.0 or later is recommended, as it includes the patched Model Runner.
As a workaround, enabling Enhanced Container Isolation (ECI) in Docker Desktop can block container access to Model Runner, preventing exploitation.
Be aware that if Docker Model Runner is exposed to localhost over TCP in certain configurations, the vulnerability may still be exploitable, so review and restrict such exposure.